Ping Identity SCIM Integration

System for cross-domain identity management (SCIM) can be used to automatically provision and de-provision members and groups in your Bitwarden organization.

This article will help you configure a SCIM integration with Ping Identity. Configuration involves working simultaneously with the Bitwarden web vault and Ping Identity Administrator dashboard. As you proceed, we recommend having both readily available and completing steps in the order they are documented.

To start your SCIM integration, open the Admin Console and navigate to Settings → SCIM provisioning:

Select the Enable SCIM checkbox and take note of your SCIM URL and SCIM API Key. You will need to use both values in a later step.

1. Navigate to provisioning  New Connection.
   

   

2. In the Create a New Connection window, choose the Select option for Identity Store.

3. In the Identity Store, enter SCIM into the search box and select SCIM Outbound. Once this step is complete, select Next.
   

   

4. Input a Name and Description for the SCIM connection.

5. Next, you will be required to input the SCIM BASE URL. Copy the SCIM URL value located on the Enable SCIM page in the Bitwarden Admin Console and paste it into this field.

6. Using the Authentication Method dropdown menu, select OAuth 2 Bearer Token. A field will appear named Oauth Access Token, paste the SCIM API key value from the Bitwarden Admin Console into this field.
   

   

7. Once setup is complete, you may select Test Connection. If successful, select Next.

8. On the Configure Preferences page, select desired preferences and actions.
   

   note

   Setting the Remove Action setting to Disable will result in Bitwarden users being moved to Revoked status rather if the user fails to meet the filter criteria set on Ping Identity. Restoring the criteria will return the user to their previous state.
   
   If the Remove Action is set to Delete, the same action will deprovision the user.

9. Select Save once complete. Select the newly created Connection and enable the Connection using the toggle.
   

   

Before syncing user groups and directories, a Rule is required to sync the user groups to Bitwarden SCIM.

1. Return to the Provisioning Screen.

2. Select the Rules tab and then  New Rule.

3. Enter an app specific name for the Rule and select Create Rule.

4. Edit the new Rule in the Configuration tab. Select Bitwarden SCIM connection and then Save.
   

   

5. Select the Configuration tab and add a  User Filter. For more information, see the Ping Identity documentation. Select Save once complete.
   

   

6. Enable the Rule using the toggle.
   

   

1. To assign groups, return to the Provisioning screen and select the rule  Edit Group Provisioning.
   

   

2. Choose the group or groups to provision and select Save. Once saved, the directory will trigger a sync.

Both the Bitwarden and Ping Identity SCIM Provisioner with SAML (SCIM v2 Enterprise) applications use standard SCIM v2 attribute names. Bitwarden will use the following attributes:

User attributes

• active

• emailsª or userName

• displayName

• externalId

ª - Because SCIM allows users to have multiple email addresses expressed as an array of objects, Bitwarden will use the value of the object which contains "primary": true.

Group attributes

For each group, Bitwarden will use the following attributes:

• displayName (required)

• membersª

• externalId

ª - members is an array of objects, each object representing a user in that group.